U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Results of Technical Network Vulnerability Assessment: EPA's Region 6
Report No. 12-P-0659                    August 10, 2012

Report Contributors:
    Rudolph M. Brevard
    Warren Brooks
    Scott Sammons
    Jeremy Sigel

Hotline

To report fraud, waste, or abuse, contact us through one of the following methods:

e-mail:    OIG_Hotline@epa.gov
phone:     1-888-546-8740
fax:       202-566-2599
online:    http://www.epa.gov/oig/hotline.htm
write:     EPA Inspector General Hotline
           1200 Pennsylvania Avenue NW
           Mailcode 2431T
           Washington, DC 20460

U.S. Environmental Protection Agency                    12-P-0659
Office of Inspector General                             August 10, 2012

At a Glance

Results of Technical Network Vulnerability Assessment: EPA's Region 6

Why We Did This Review

We sought to assess the security configurations of the U.S. Environmental Protection Agency's (EPA's) Region 6 wireless network infrastructure. We sought to conduct network vulnerability testing of the Region 6 Local Area Network to identify resources that contained commonly known high-risk and medium-risk vulnerabilities. We also sought to assess the physical controls and environmental controls around critical information technology assets located in Region 6. We conducted this audit as part of the annual review of EPA's information security program as required by the Federal Information Security Management Act.

Furthering EPA's Goals and Cross-Cutting Strategies

- Strengthening EPA's Workforce and Capabilities

What We Found

Our vulnerability assessments of EPA's Region 6 wireless network infrastructure found no security weaknesses. However, our vulnerability testing of networked resources located at Region 6 facilities identified Internet Protocol addresses with potentially 35 critical-risk, 217 high-risk, and 878 medium-risk vulnerabilities. Additionally, our server room assessments revealed a lack of adequate monitoring of environmental controls, the lack of a process to ensure only authorized personnel are approved for access to server rooms, and the existence of unsecured and unlogged media in the server rooms. If not resolved, these vulnerabilities could expose EPA's assets to unauthorized access and potentially harm the Agency's network.

Recommendations and Agency Corrective Actions

We recommend that the Senior Information Official within Region 6 provide the Office of Inspector General a status update for every critical-risk, high-risk, and medium-risk vulnerability identified by the scanning tool; create plans of action and milestones in the Agency's Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities according to Agency interim procedures; perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities; and remediate all identified physical and environmental control weaknesses identified in the server rooms.

Region 6 representatives acknowledged the existence of the vulnerabilities that we identified and stated they have begun developing corrective actions to address the risks related to these weaknesses.

The detailed testing results have already been provided to Agency representatives. Due to the sensitive nature of the report's technical findings, the technical details will not be made available to the public.

For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391.

The full report is at:
www.epa.gov/oig/reports/2012/20120810-12-P-0659.pdf

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

August 10, 2012

MEMORANDUM

SUBJECT:  Results of Technical Network Vulnerability Assessment:
          EPA's Region 6
          Report No. 12-P-0659

FROM:     Arthur A. Elkins, Jr.

TO:       Lynda Carroll
          Senior Information Official
          Region 6

This is our quick reaction report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). Due to the sensitive nature of the technical findings, we are issuing this report for urgent management remediation. The site assessments were conducted in conjunction with our annual audit of EPA's information security program as required by the Federal Information Security Management Act. This report provides the summary of our security assessments of networked resources located at EPA's Region 6 office in Dallas, Texas, and laboratory in Houston, Texas.

Our tests disclosed that network resources at the Region 6 office and laboratory contained potentially a combined 35 critical-risk, 217 high-risk, and 878 medium-risk vulnerabilities. Our server room assessments revealed a lack of adequate monitoring of environmental controls, the lack of a process to ensure only authorized personnel are approved for access to server rooms, and the existence of unsecured and/or unlogged media in the server rooms. We provided your office representatives with the technical results during our site visit to facilitate immediate remediation actions.

We performed this audit work from February through August 2012 at EPA's Region 6 office in Dallas and laboratory in Houston. We performed this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on the audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions.

12-P-0659                                                                                              1

We conducted testing to identify the existence of commonly known vulnerabilities using a commercially available network vulnerability assessment tool recognized by the National Institute of Standards and Technology (NIST). We interviewed EPA personnel responsible for managing the network resources located in Region 6. We reviewed relevant EPA interim procedures to obtain an understanding of the Agency's Automated Security Self-Evaluation and Remediation Tracking system used for recording identified weaknesses. We tested the Internet Protocol addresses associated with network resources located in the Region 6 office and laboratory. We used the risk ratings provided by the vulnerability software to determine the level of harm a risk could pose to a networked resource due to the vulnerability and accepted the results from the software tool as the level of risk to EPA's network. Upon follow-up with your office representatives, they acknowledged the existence of the vulnerabilities and stated that some mitigation activities had already begun related to these risks.

We performed an inspection of EPA's Region 6 server rooms with key information technology (IT) personnel to assess the physical controls and environmental controls around IT assets. We interviewed Agency IT staff to determine the extent to which IT equipment is protected from physical, environmental, and human threats. We used NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, as the template for evaluating IT security controls around the server rooms. Appendix A includes a summary of our findings at the server rooms assessed and our recommendations by site.

We also conducted testing of EPA's Region 6 wireless infrastructure to identify any possible configuration weaknesses using a commercially available wireless scanning tool. Specifically, we performed tests to identify whether any unauthorized wireless devices existed on the region's network. We also performed tests to determine whether the wireless encryption protocols being used on the region's wireless local area network were sufficient to secure it. We found no weaknesses during either of these tests.

Recommendations

We recommend that the Senior Information Official within Region 6:

    1. Provide the OIG a status update for all identified critical-risk, high-risk, and medium-risk vulnerability findings from the technical scanning tool within 30 days of this report.

    2. Create plans of action and milestones in the Agency's Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities according to Agency procedures within 30 days of this report.

    3. Perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities.

    4. Establish written procedures for granting authorized access to Region 6 server rooms in Dallas and Houston.

    5. Sanitize and secure all used drives kept in the Houston server room in addition to logging their receipt, rotation, and/or disposal.

    6. Establish a process for continuous monitoring of Dallas and Houston server rooms' environmental conditions by personnel or real-time monitoring by existing IT equipment with environmental monitoring capabilities.

Action Required

Please provide written responses to this report within 30 calendar days. You should include a corrective actions plan for agreed-upon actions, including milestone dates.

Due to the sensitive nature of the report's technical findings, the technical details are not included in this report and will not be made available to the public. The OIG plans to post on the OIG's public website the corrective action plans that you provide to us that do not contain sensitive information. Therefore, we request that you provide the response to recommendation 1 in a separate document; we will not make that response available to the public if it contains sensitive information.

Your responses should be provided as Adobe PDF files that comply with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended. Except for your response to recommendation 1, which will not be posted if it contains sensitive information, your responses should not contain data that you do not want to be released to the public; if those responses contain such data, you should identify the data for redaction or removal.

If you or your staff have any questions regarding this report, please contact Patricia H. Hill, Assistant Inspector General for Mission Systems, at (202) 566-0894 or hill.patricia@epa.gov; or Rudolph M. Brevard, Product Line Director, Information Resources Management Assessments, at (202) 566-0893 or brevard.rudy@epa.gov.

Status of Recommendations and Potential Monetary Benefits

RECOMMENDATIONS (no potential monetary benefits were claimed or agreed to for any recommendation; planned completion dates not yet set)

Rec. No. | Page No. | Subject | Status (see key) | Action Official
1 | 2 | Provide the OIG a status update for all identified critical-risk, high-risk, and medium-risk vulnerability findings from the technical scanning tool within 30 days of this report. | U | Senior Information Official, Region 6
2 | 2 | Create plans of action and milestones in the Agency's Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities according to Agency procedures within 30 days of this report. | U | Senior Information Official, Region 6
3 | 2 | Perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities. | U | Senior Information Official, Region 6
4 | 2 | Establish written procedures for granting authorized access to Region 6 server rooms in Dallas and Houston. | U | Senior Information Official, Region 6
5 | 3 | Sanitize and secure all used drives kept in the Houston server room in addition to logging their receipt, rotation, and/or disposal. | U | Senior Information Official, Region 6
6 | 3 | Establish a process for continuous monitoring of Dallas and Houston server rooms' environmental conditions by personnel or real-time monitoring by existing IT equipment with environmental monitoring capabilities. | U | Senior Information Official, Region 6

Status key:
    O = recommendation is open with agreed-to corrective actions pending
    C = recommendation is closed with all agreed-to actions completed
    U = recommendation is unresolved with resolution efforts in progress

Appendix A

Table of Server Room Assessment Findings and Recommendations by Site

Key: X = Weakness found at location

Issue Reviewed | Recommendation | Houston | Dallas
Lack of written procedures for authorizing access to the server rooms. | Establish written procedures for granting authorized access to Region 6 server rooms in Dallas and Houston. | X | X
Lack of environmental controls to monitor server room temperature and humidity and alert personnel of emergency. | Establish a process for continuous monitoring of Dallas and Houston server rooms' environmental conditions by personnel or real-time monitoring by existing IT equipment with environmental monitoring capabilities. | X | X
Charged wet-piped fire suppression system leaves uncovered server racks susceptible to water damage. | (Same as above: establish continuous environmental monitoring by personnel or existing IT equipment.) | X |
Un-sanitized data drives with EPA information not logged and left unsecured within server room. | Sanitize and secure all used drives kept in the Houston server room in addition to logging their receipt, rotation, and/or disposal. | X |
No logging of rotation of backup tapes or transportation/receipt at the Addison offsite storage facility. | (Same as above: sanitize and secure all used drives and log their receipt, rotation, and/or disposal.) | | X

Appendix B

Distribution

Office of the Administrator
Assistant Administrator for Environmental Information and Chief Information Officer
Regional Administrator, Region 6
Senior Information Official, Region 6
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Senior Agency Information Security Officer
Audit Follow-Up Coordinator, Region 6